arne
uplegger.eu
 (3w ago)

@arne@uplegger.eu Well, just for my understanding. The command:
echo "Lorem ipsum" | openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -out message.enc -pass file:shared_key.bin
will take the input string from echo to openssl. It then will

  1. use the content of shared_key.bin as password
  2. use PBKDF2 with an iteration of 100000 to generate a encryption key from the given password (shared_key.bin)
  3. use the PBKDF2 generated key for an aes-256-cbc encryption

The final result is encrypted data with the prepended salt (which was generated by runtime), e.g.: Salted__q�;��-�T���"h%��5�� ....

With a dummy script I now can generate a valide shared key within PHP ‘openssl_pkey_derive()’ - identical to OpenSSL.
I also can en-/decrypt salted data within my script, but not with OpenSSL. There are several parameters of PBKDF2 unknown to me.

Question:

  1. Is the salt, used by aes-256-cbc and PBKDF2 the same, prepended in the encrypted data?
  2. Witch algorithm/cipher is used within PBKDF2: sha1, sha256, …?
  3. What is the desired key length of PBKDF2 (https://www.php.net/manual/en/function.openssl-pbkdf2.php)?

To be continued …

⤋ Read More
arne
uplegger.eu
 (3w ago)

@arne@uplegger.eu With the OpenSSL option -p one can get an output of salt, key and iv. My stupid PHP-code can get everything right from the encrypted data (from OpenSSL) - except the iv! Damn “evpKDF” 😔

⤋ Read More
eapl.me
eapl.me
 (3w ago)

trying to implement it quickly, I get the same questions than you

# https://www.php.net/manual/en/function.openssl-pbkdf2.php
    $password = $sharedKey;
    $salt = openssl_random_pseudo_bytes(16);  # What's the salt length ?
    $keyLength = 20;  # What's the key length here ?
    $iterations = 100000;
    $generatedKey = openssl_pbkdf2($password, $salt, $keyLength, $iterations, 'sha256');
    echo bin2hex($generatedKey)."\n";
    echo base64_encode($generatedKey)."\n";

    $iv = openssl_random_pseudo_bytes(16); // AES-256-CBC requires 16-byte IV
    $cipherText = openssl_encrypt($message, 'aes-256-cbc', $generatedKey, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $cipherText);

⤋ Read More

Participate

Login to join in on this yarn.